Cyber Posture

CVE-2025-14829

Severity: Critical
Published: 13 January 2026
Modified: 15 April 2026
KEV Added: None listed
Patch: None listed
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0012 (30.4th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The E-xact | Hosted Payment | WordPress plugin through 2.0 is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- prevent: Directly counters the insufficient file path validation by requiring organizations to validate all inputs, preventing arbitrary file deletion via malicious paths.
- prevent: Mandates timely flaw remediation, such as patching the vulnerable E-xact WordPress plugin, to eliminate the arbitrary file deletion capability.
- prevent: Restricts logical access for changes like file deletions, providing compensating protection through hardened file permissions even if path validation fails.

Security Summary [AI-generated]

CVE-2025-14829 is a critical vulnerability in the E-xact | Hosted Payment WordPress plugin through version 2.0, stemming from insufficient file path validation that enables arbitrary file deletion. Published on 2026-01-13, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), highlighting its high impact on integrity and availability with no confidentiality impact.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation allows deletion of arbitrary files on the affected server, potentially disrupting services, destroying data, or enabling further compromise by targeting critical configuration files, logs, or other system resources.

Mitigation details are outlined in the WPScan advisory at https://wpscan.com/vulnerability/872569bc-16fb-427f-accc-147f284137cd/. Security practitioners should review it for patching guidance, such as updating to a fixed version if available or implementing compensating controls like file permission hardening.
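As an added illustration of the input validation and access restriction the controls above describe (example code, not the plugin's or WPScan's), the PHP helper below canonicalises a requested path with realpath() and refuses to unlink anything that does not resolve to a regular file inside an allow-listed directory; the directory layout and file names in the demo are constructed.

```php
<?php
// Added example, not the plugin's code: a deletion helper that only removes
// regular files whose canonical path lies inside an allow-listed base directory.
// $baseDir and the demo file names are constructed for illustration.

function safe_unlink(string $baseDir, string $userPath): bool
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return false; // base directory must exist and be a directory
    }
    // A NUL byte can truncate the path seen by the filesystem layer.
    if (strpos($userPath, "\0") !== false) {
        return false;
    }
    // realpath() resolves '..' segments and symlinks to a canonical path
    // and returns false when the target does not exist.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        return false;
    }
    // Require the canonical path to sit below $base. The trailing separator
    // stops a sibling prefix such as "/srv/uploads2" passing for "/srv/uploads".
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    if (!is_file($candidate)) {
        return false; // never unlink directories, sockets or devices
    }
    return unlink($candidate);
}

// Constructed demo: a temp tree with one in-scope file and one file outside it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'safe-unlink-' . uniqid();
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/uploads/receipt.txt', 'in scope');
file_put_contents($root . '/outside.txt', 'out of scope');

// A '..' segment resolves to $root/outside.txt, outside the base, so it is refused.
var_dump(safe_unlink($root . '/uploads', '../outside.txt'));
var_dump(file_exists($root . '/outside.txt'));
// The in-scope file resolves below the base and is removed.
var_dump(safe_unlink($root . '/uploads', 'receipt.txt'));
var_dump(file_exists($root . '/uploads/receipt.txt'));
```

Because realpath() follows symlinks before the prefix check, a link planted inside the upload directory that points outside it is also refused, which is the case a plain string comparison on the raw input misses.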

Details

CWE(s): None listed

MITRE ATT&CK Enterprise Techniques [AI-generated]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1070.004 File Deletion (Stealth): Adversaries may delete files left behind by the actions of their intrusion activity.
- T1485 Data Destruction (Impact): Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

Unauthenticated remote exploitation of a public-facing WordPress plugin (T1190) enables arbitrary file deletion for indicator removal (T1070.004) and data destruction (T1485).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References